Forensics & IR
DFIR (Digital Forensics and Incident Response)
Also known as: Digital forensics and incident response
Definition
A combined discipline that fuses digital forensic investigation with incident response to detect, contain, eradicate, and learn from cyber incidents.
Examples
- A DFIR retainer activates after a ransomware detonation: triage with Velociraptor, image key hosts, and write a containment plan.
- Reconstructing an APT intrusion across endpoints and cloud logs to identify initial access and lateral movement.
Related terms
Digital Forensics
The scientific discipline of identifying, preserving, analysing, and reporting on digital evidence from computers, networks, and devices in a legally defensible way.
Incident Response
The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.
Incident Response Plan
A documented, approved playbook that defines how an organisation prepares for, detects, contains, eradicates, recovers from, and learns from cyber incidents.
Chain of Custody
The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
Threat Hunting
Threat Hunting — definition coming soon.
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.